
Running a display-based program without calling sudo / not as root


I have an Ubuntu server that runs a program that uses the GPU. Till now, to run my program, I’ve been calling

  • export DISPLAY=:0
  • export XAUTHORITY=/var/run/lightdm/root/:0

This works; however, it requires me to run my application as root, since root owns that :0 file. Ultimately, my question is how to configure my system to avoid this?

Some background:

This server is currently configured to bring up lightdm at startup. lightdm in turn starts Xorg, with -auth /var/run/sddm/root/:0, such that ps -aux shows this as a process:

/usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch

While playing around, I’ve succeeded in configuring everything so I don’t need sudo by:

  • calling export XAUTHORITY=~/.Xauthority
  • adding a cookie for :0 in my user’s .Xauthority file with mcookie|sed -e 's/^/add :0 . /'|xauth
  • stopping lightdm
  • restarting Xorg with -auth "$HOME/.Xauthority"

This is all well and good, but not a deployable solution. So here are other concerns:

If Xorg is to be brought up at boot time, how to provide access to specific users? Or should it somehow be brought up when users log on? If I'll be doing everything from the command line, do I even need lightdm? What are my options here, and what's the best way?


Solution

  • There are several possibilities.

    An easy one is to allow access to an already running X with xhost (but use of xhost is rather discouraged; using cookies is considered to be more secure):

    xhost +SI:localuser:USERNAME
    

    Another one is to extract the cookie name from ps -aux as you did and copy it to ~/.Xauthority. Change ownership for ~/.Xauthority to the user. Only the user should have rw-access (chmod 600).


    Another possibility is to get a new cookie from X if it runs with the X extension SECURITY. Be aware that you already need access to the already running X to get a new cookie:

    xauth -f /home/USERNAME/.Xauthority generate $DISPLAY . trusted
    

    Standard way: Create a cookie for option -auth before starting X with

    export XAUTHORITY=$HOME/.Xauthority
    export DISPLAY=:0
    xauth -f $XAUTHORITY add $DISPLAY . $(mcookie)
    

    restarting Xorg with -auth "$HOME/.Xauthority"

    Be careful; check if $HOME/.Xauthority already exists and is not empty; otherwise X runs without authentication protocol at all, and everyone can access it. Rather create a cookie yourself with xauth.


    I am not sure what you want to accomplish; just be aware that allowing access for multiple users to the same X display is a security risk / privacy leak. X clients can spy on each other.
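
Added example, not part of the original question or answer: a pre-flight check for the file passed to Xorg with -auth, covering the answer's points that the file must exist, must not be empty, must be readable by its owner only, and must hold a cookie for the display. The function names are hypothetical; the parser assumes the standard Xauthority layout (a big-endian 16-bit family followed by four length-prefixed fields) and a 16-byte MIT-MAGIC-COOKIE-1 value.

```python
import os
import stat
import struct

COOKIE_PROTO = b"MIT-MAGIC-COOKIE-1"


def make_entry(family, address, number, name, data):
    """Serialise one entry; used only to build constructed sample files."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out


def parse_xauthority(blob):
    """Return [(family, address, number, name, data), ...] from raw file bytes.

    Raises struct.error or ValueError if the data is truncated.
    """
    entries, pos = [], 0
    while pos < len(blob):
        entry = [struct.unpack_from(">H", blob, pos)[0]]  # family
        pos += 2
        for _ in range(4):  # address, display number, protocol name, cookie
            (size,) = struct.unpack_from(">H", blob, pos)
            field = blob[pos + 2:pos + 2 + size]
            if len(field) != size:
                raise ValueError("truncated field at offset %d" % pos)
            entry.append(field)
            pos += 2 + size
        entries.append(tuple(entry))
    return entries


def audit_xauthority(path, display_number="0"):
    """Return a list of problems; an empty list means the file passed."""
    if not os.path.isfile(path):
        return ["file does not exist"]
    problems = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("group/other can access the cookie file (want mode 600)")
    with open(path, "rb") as fh:
        blob = fh.read()
    if not blob:
        return problems + ["file is empty"]
    want = display_number.encode()
    if not any(num == want and name == COOKIE_PROTO and len(data) == 16
               for _fam, _addr, num, name, data in parse_xauthority(blob)):
        problems.append("no MIT-MAGIC-COOKIE-1 entry for display :%s" % display_number)
    return problems
```

Run audit_xauthority on the -auth path before (re)starting Xorg and refuse to start if the returned list is not empty.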